ABSTRACT

This  paper  proposes  icons  and  visual  conventions  for  rapid  comprehension  and 
presentation  of  information  security  (INFOSEC)  attack  scenario  information: 


[Icons: Malicious Intruder, Buffer Overflow, Data Scavenging, Theft, Poorly Installed Software]


Attack  scenarios  describe  diverse  ways  to  compromise  the  security  of  computer  systems 
and  networks.  Visual  attack  scenarios  help  defenders  see  system  ambiguities, 
imprecision,  vulnerabilities  and  omissions,  thus  speeding  up  risk  analysis,  requirements 
gathering,  safeguard  selection,  cryptographic  protocol  analysis,  and  INFOSEC  training. 

The Naval Research Laboratory sponsored this work, a subset of a larger working paper,
Visual Conventions for Information Attack Scenarios, to develop conventions for
visualizing INFOSEC scenarios. We recommend follow-up with focus groups.

INTRODUCTION


As global connectivity increases, remote terrorists, thieves, spies, pirates, or students can
attack remote computer systems aggressively, protected from prosecution by their
mobility and position outside national boundaries. Malicious insiders are even more
dangerous, thanks to authorized access, on-going opportunity, and intimate knowledge of
the systems they attack. Natural disasters, like earthquakes, floods, tornadoes, and
electromagnetic phenomena, still wreak devastation on computer systems and networks.
Man-made disasters, such as wars, and scientific breakthroughs, such as easy ways to
factor large prime numbers, threaten to disrupt secure communications and electronic
commerce. Protecting information assets against these threats requires that we
understand how they can be attacked.

Figure 1 illustrates two attack scenarios featuring a threat source (terrorists) with attack
goals (obtain secrets, money), who employs threat agents (hacker and insider) to attack
assets (money, data) via vulnerabilities (Internet and procedural weaknesses) using attack
mechanisms (e.g. password sniffer) to produce impacts (theft of money and data).


Figure 1: A terrorist group directly attacks one computer site to steal money, and hires
an insider to steal secrets from another.

Visualization helps identify missing threats, steps, and safeguards by making potential
attack scenarios intelligible to a large number of people. It also helps motivate funding
for INFOSEC expenses and helps train and motivate personnel to follow INFOSEC
procedures.


DEFINITIONS 


An  information  security  (INFOSEC)  attack  scenario  conveys  a  way  to  compromise  the 
security  of  a  computer  system  or  network,  from  threat  source  to  final  impact. 

A  language  is  a  means  of  communicating  ideas  and  feelings.  A  visual  language  includes 
a  high  percentage  of  graphic  elements  to  empower  the  communication. 

Symbols, where one thing represents another, are as old as dreams, cave paintings,
hieroglyphics, and poetry. They communicate at both cognitive and affective levels.


Icons  are  graphic  symbols.  Their  power  lies  in  rendering  abstract  ideas  concrete,  such  as 
using  a  flag,  logo,  or  symbol  to  stand  for  country,  organization,  or  abstract  idea. 

Common  icons  include: 


[Icons: Flags, Religions, Money, 3.1415, Love]


Frameworks show relationships among components, as in Figure 1. Iconographic
“desktop” user-computer interfaces, the Periodic Table of the Elements, electronic
spreadsheets, and TCP/IP Protocols Illustrated are powerful frameworks for clarifying
complexity and promoting innovation. Edward Tufte studied the elements of superior
visual frameworks in his books Envisioning Information and Visual Explanations.

Assumptions define the scope of the attack scenario and make implicit concepts explicit.
For example, are attackers “rational” (i.e. they won’t spend more to obtain information than
that information is worth)? Do they have “deep pockets”?

Resources  are  financial,  technical  and  sociopolitical  capabilities  for  carrying  out  attacks. 

Constraints  limit  the  use  of  attack  mechanisms  and  countermeasures.  Constraints  may  be 
financial,  technical,  physical,  ethical,  legal,  environmental,  or  social. 

[Icon: $5,000,000]

Metrics  are  tools  for  measurement.  They  may  be: 

Numeric  (e.g.  count,  percentage,  monetary  value); 

Non-numeric  (e.g.  high-medium-low,  A-B-C-D-F,  one-to-five  star  ratings); 

Fuzzy, non-numeric scales that can be assigned numbers and manipulated
mathematically, such as:

Very Skillful (100-80) ... Skillful (85-35) ... Somewhat Skillful (35-15) ... Not Skillful (15-0)

Metrics can be visualized, as shown on the next page.
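
The fuzzy skill scale above can be combined across several assessors. The following is an added example, not taken from the paper: it averages linguistic ratings as intervals (an assumed combination rule) and reports what fraction of the result falls inside each label. The names SCALE, combine and memberships are illustrative.

```python
# Ranges exactly as printed in the paper. "Very Skillful" and "Skillful"
# overlap between 80 and 85, so one score can belong to both labels.
SCALE = {
    "Very Skillful": (80, 100),
    "Skillful": (35, 85),
    "Somewhat Skillful": (15, 35),
    "Not Skillful": (0, 15),
}


def combine(ratings):
    """Average several linguistic ratings as (low, high) intervals.

    Assumption: interval averaging is one simple way to "manipulate
    mathematically"; the paper does not prescribe a rule.
    """
    if not ratings:
        raise ValueError("need at least one rating")
    unknown = [r for r in ratings if r not in SCALE]
    if unknown:
        raise ValueError(f"labels not on the scale: {unknown}")
    lows = [SCALE[r][0] for r in ratings]
    highs = [SCALE[r][1] for r in ratings]
    return sum(lows) / len(lows), sum(highs) / len(highs)


def memberships(interval):
    """Fraction of the combined interval that lies inside each label's range.

    Fractions can sum to more than 1 because the printed ranges overlap.
    """
    lo, hi = interval
    width = hi - lo
    result = {}
    for label, (a, b) in SCALE.items():
        overlap = min(hi, b) - max(lo, a)
        if overlap > 0:
            result[label] = round(overlap / width, 3)
    return result


if __name__ == "__main__":
    # Constructed sample: three assessors rate the same threat agent.
    combined = combine(["Very Skillful", "Skillful", "Skillful"])
    print(combined, memberships(combined))
```
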


CRITERIA  FOR  EFFECTIVE  VISUALS 


“As for a picture, if it isn’t worth a thousand words, the hell with it.”

Ad Reinhardt


Effective  Icons  are: 

Intuitive,  easy  to  remember,  vivid,  and  easy  to  use; 

Readily available without much effort or expense;

Nonverbal  or  in  English  for  international  usage; 

Understandable  in  both  color  and  black  and  white; 

Reusable  in  different  contexts; 

Flexible  in  size  and  color; 

Performance-sensitive; 

Compatible  with  existing  conventions. 

Effective  Metrics: 

Increase  accuracy  of  information; 

Enhance  quality  of  information; 

Improve  comprehension; 

May  be  hidden  until  needed; 

Speed-up  decision-making. 

Metrics  may  be  put  directly  on  an  icon  or  conveyed  using  color,  texture,  scale,  or  graphs. 


[Figure: examples of metrics on icons: Money; Social Engineering (Solid = Very Skillful, Dotted = Not Skillful); Hurricane Categories 1-4]


See Hosmer and Tufte for more extensive examples of visualizing metrics.

Effective  Frameworks: 

Clarify patterns and relationships in a holistic, readily intelligible way;

Are vivid and interesting;

Handle complexity;

Scale upward or downward;

Provide insight into the big picture or details;

Illustrate evolution over time;

Provide a vehicle for effective communication among diverse parties.

Strike a balance between:

Essential concepts and completeness;

Innovation and conformity to existing traditions.


ICONS  FOR  ATTACK  SCENARIOS 


ASSET  ICONS 


Assets  are  things  of  value,  including  hardware,  software,  data,  intellectual  property, 
buildings,  equipment,  personnel,  expertise,  procedures,  national  security,  money,  and 
good  will.  Assets  may  be  classified  as  tangible  or  intangible. 

Intellectual Property Icons:

[Icons: Patent, Trademark (TM), Registered Trademark (R), Copyright, Trade Secrets]


Intangible asset icons:

[Icon: Good Will]

Asset  valuation  icons,  identified  by  a  tag  with  a  light  green  background,  show  how 
much  an  asset  is  worth  and,  optionally,  how  the  worth  of  the  asset  was  computed. 


[Icons: Sales Lead Data, Acquisition Cost = 40K; Replacement cost = $4K]


VULNERABILITY  ICONS 


Software vulnerabilities:

[Icons: Buffer Overflow; Bug, i.e. Programming Error; Random Number Generator Flaw]


Procedural vulnerabilities:

[Icons: Irregular Backup; Promiscuous software exchange; Poor Installation of Software; Open Door]


Personnel vulnerabilities:

[Icons: In-debt Employee; Disgruntled Employee; Foreign Employee; Misbehaving Employee]


Hardware vulnerabilities:

[Icons: Magnetism; Wiretapping; Emanations; Heat; Component Breakdown; Interface Flaw; Electrical Interference]


ATTACK  ICONS 


Attacks  are  moves  on  opponents’  assets.  They  may  be  well-known  or  novel,  overt  or 
covert,  passive  (e.g.  overhearing  information)  or  aggressive  (e.g.  cutting  phone  wires). 


[Icons: Direct Attack; Indirect Attack; Two-stage attack (e.g. plant trap-door, then use it later); Besiege, Jam, or Control]


These may be combined with other icons:

[Icon: Forgery]


Attacks  can  also  be  categorized  by  their  goals  or  objectives: 


ATTACK  MECHANISM  ICONS 

Attackers use attack mechanisms to exploit vulnerabilities. These may be physical
mechanisms:


For entering secure areas:


For data theft:

[Icons: Piggybacking; Forged key card]


For data destruction:

[Icons: Bomb; Arson; Electromagnetic pulse (EMP)]


For denial of use:

[Icon: Overload Resources]


Software attack mechanisms include:

For denial of service:

[Icons: Worm (fills computer with code); Besiege with messages; Encrypt others’ data with unknown key; Sesame; Change others’ passwords]


For penetration:

[Icons: Password; Trojan Horse; Electronic Virus; Trap door]


For theft using software:


For destruction using software:

[Icon: Logic Bomb]


Attack  events  are  specific  instances  of  attacks,  such  as  the  Dec.  7,  1941  attack  on  Pearl 
Harbor,  or  the  D-Day  Allied  invasion  of  Normandy. 


at  CIA  on  9/22/97  at  2204.22hrs 


Attack  impacts  are  damages  (physical,  financial,  or  intangible)  to  assets. 


[Icons: Damage; Damage to Ship & Environment; Infrastructure Damage]

Impacts  on  assets  can  be  measured.  Typical  impact  metrics  include: 

Number (e.g. number of personnel, planes or ships lost, months of competitive
advantage lost);

Monetary Value (e.g. replacement costs, clean up costs, insurance costs);

Percentage (e.g. market share lost, fall in ratings).


Red  ink  conventionally  means  loss. 


GOAL  AND  MOTIVE  ICONS 

Both  attackers  and  defenders  have  physical,  financial,  or  psychological  goals. 


Attackers’ objectives:

[Icons: Steal goods; Steal money; Beat Competitors; Steal data; Raise Rating; Raise Grades]


Attacker motives:

[Icons: Visibility/Notoriety; Challenge]


Defenders’ goals:

[Icons: Integrity; Transmission Integrity; Data Integrity; System Integrity; Confidentiality; Phone Privacy (Personal); Military Secrecy (TOP SECRET)]


Defenders’ motives:

[Icons: Adhere to Regulations; Minimize costs; Enjoy technical challenge]


SAFEGUARD  ICONS 


Safeguards  and  countermeasures  reduce  attack  impacts.  Safeguards  protect  specific 
assets  while  countermeasures  prevent,  reduce  or  mitigate  the  impact  of  specific  threats  by 
avoiding  or  transferring  risk,  reducing  vulnerability,  recovering  quickly,  or  reducing 
threat  likelihood. 


Hardware Safeguards:

[Icons: Surge protector; Perimeter Control; Tempest (emanation control); Underground facility; Optical cable]


Hardware and Software Safeguards:

[Icons: Replicated/Distributed System; Biometric Authentication; Firewall]


Data Safeguards:

[Icons: Back-up; Direct data entry; Document Shredder; Encryption; Public and Private Keys; Time Stamp (12:23 2/2/00)]


Procedural Safeguards:

[Icons: Written Procedures; Two-man rule; Insurance; Poison pill; Official patches; Configuration Management; INFOSEC Security Policy; Validation and verification]


NATURAL  DISASTER  ICONS 

[Icons: Tornado; Water; Dust; Earthquake]


FUTURE WORK


Focus groups would refine these icons, making them appropriate for large groups of
people. Additional icons and frameworks are needed to help visualize important
INFOSEC applications like medical and e-commerce privacy. We need more
examples of integrating risk analysis metrics into the frameworks.


CONCLUSION 


This  paper  visualized  INFOSEC  attack  scenarios,  including  threats,  assets,  attackers’  and 
defenders’  goals  and  motives,  system  vulnerabilities,  attack  mechanisms,  safeguards  and 
countermeasures,  and  impacts.  To  do  this  we  created  frameworks,  selected  existing 
icons,  and  created  new  ones  by  combining  existing  fonts,  icons,  and  metrics  in  new  ways 
with  simple  artwork.  For  example: 


[Icons: Raise Grade; Biometric Authentication]


The  paper  developed  criteria  for  effective  icons,  frameworks,  and  metrics,  and  selected 
visual  conventions  to  convey  many  abstract  attack  scenario  concepts.  For  example: 


[Icons: Spy; Attack; Valuation; Integrity]


These  conventions  were  used  in  different  combinations  to  convey  related  concepts: 


[Icons: Reading Emanations; Data Scavenging; Integrity Attack; Valuing Data Integrity]

Restrictions  on  paper  length  prevented  us  from  including  here  all  the  icons  and 
frameworks  we  developed.  Inquiries  are  welcome. 